Businesses should embrace hacking to shine a light on their cyber defences

Although newspaper headlines give much attention to state-sponsored cyber-attacks, attacks on commercial enterprises also have significant consequences, as highlighted recently by the cyber-attack on Yahoo, which caused the valuation of the company to plummet during acquisition negotiations with Verizon.

Whether mounting attacks on governments, corporations or individuals, it’s clear that the malicious operator is now very well tooled, educated and financed and poses a threat that could have real commercial impact.

Professional hacking has helped highlight how hacking skills can support the modern enterprise. Enter from stage left, the ‘ethical hacker.’

An ethical hacker – also known as a ‘white hat’ – is someone using their expertise in computer and organisational systems to test organisations’ defences, configuration and responses against the tools and techniques that could be expected from a malicious attacker.

To make the best use of white hats, many legitimate companies have sprung up offering ‘ethical hacking’ services, and organisations such as the EC-Council have launched their very own Certified Ethical Hacking Certification, which seeks to reinforce ethical hacking as a unique and self-regulating profession.

Furthermore, the Bank of England’s CBEST framework (available to firms and FMIs which are considered to be core to the UK financial system) demonstrates the vision of an industry which is at the forefront of combating malicious attacks.

The business case for ethical hacking

So what does the daily routine of an ethical hacker actually look like?

The very first step for an ethical hacker is to gain an understanding of the concerns and business objectives of the organisation they’re working for.

This allows them to determine the parameters of the scenario and, significantly, whether their job will be carried out with the knowledge of wider staff or not. From here, it’s up to the ethical hacker to carry out reconnaissance and prepare their attack – just as a criminal hacker would.

Then it’s show time. The white hat will stage the attack and document all progress in detail so it can be included in a final report that outlines observations and recommendations for future security matters.

The feedback returned from this kind of operation can be invaluable for organisations of all kinds.

While vulnerability scanning and general health-checks enable a basic view of your preventative defences, they won’t provide the insight that real-world testing will.

It’s time to drop the negative reputation of hackers and for businesses to look into how they can leverage white hat skills to their own benefit.